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Amendments to the Claims 
This listing of claims will replace all prior versions of claims in the application: 
Listing of Claims: 

1. (Currently Amended) A security analysis tool for an automation system, comprising: 
an interface component that generates a description of one or more industrial controllers 

devices on a network , wherein the description includes at least a learned pattern of network 
activity at least one of shop floor access patterns. Intranet access patterns, Internet access 
patterns, or wireless access patterns ; 

a user interface that accepts input defining a pattern threshold, the pattern threshold 
specifying an acceptable deviation from the learned access pattern: 

an analyzer component that generates one or more security outputs based on the 
description if a current access pattern deviates from the learned access pattern in excess of the 
acceptable deviation , the one or more security outputs including at least one output deployed to 
the one or more industrial controllers that adjusts a security parameter that alters the current 

a validation component that periodically monitors the one or more industrial controllers 
devices following deployment of the one or more security outputs to determine one or more 
vulnerabilities related thereto. 

2. (Previously Presented) The tool of claim 1, at least one of the interface component or the 
analyzer component operate on a computer and receive one or more factory inputs that provide 
the description. 

3. (Previously Presented) The tool of claim 2, the factory inputs include at least one of user 
input, model inputs, schemas, formulas, equations, files, maps, or codes. 
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4. (Previously Presented) The tool of claim 2, the factory inputs are processed by the 
analyzer component to generate the security outputs, the security outputs including at least one 
of manuals, documents, schemas, executables, codes, files, e-mails, recommendations, 
topologies, configurations, application procedures, parameters, policies, rules, user procedures, 
or user practices that are employed to facilitate security measures in an automation system. 

5. (Previously Presented) The tool of claim 1, the interface component includes at least one 
of a display output having associated display objects and at least one input to facilitate operations 
with the analyzer component, the interface component is associated with at least one of an 
engine, an application, an editor tool, a web browser, or a web service. 

6. (Previously Presented) The tool of claim 5, the display objects include at least one of 
configurable icons, buttons, sliders, input boxes, selection options, menus, or tabs, the display 
objects having multiple configurable dimensions, shapes, colors, text, data and sounds to 
facilitate operations with the analyzer component. 

7. (Currently Amended) The tool of claim 5, the at least one input includes receiving user 
commands from at least one of a mouse, a keyboard, speech input, a web site, a remote web 
service, a camera, or video input to affect operations of the interface component and the analyzer 
component. 

8. (Previously Presented) The tool of claim 1, the description includes a model of one or 
more industrial automation assets to be protected and associated network pathways to access the 
one or more industrial automation assets. 

9. (Previously Presented) The tool of claim 1, the description includes at least one of risk 
data or cost data that is employed by the analyzer component to determine suitable security 
measures. 

10-11. (Cancelled) 
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12. (Currently Amended) A security analysis method, comprising: 

inputting at least one model related to one or more industrial controllers automation 
devices ; 

generating one or more security outputs based on the at least one model; and 

automatically installing one or more security components based at least in part on the one 
or more security outputs; 

monitoring access to the one or more industrial controllers automation devices for a 
predetermined training period to learn at least one access pattern; and 

defining a pattern threshold specifying an acceptable deviation from the at least one 
access pattern; and 

performing at least one automated security event if a detected deviation a current access 
pattern deviates from the at least one access pattern exceeds a tolerance in excess of the 
acceptable deviation after the training period[[.]] 4 

wherein performing the at least one automated security event includes at least altering a 
network traffic pattern associated with the one or more industrial automation devices. 

13. (Previously Presented) The method of claim 12, wherein inputting the at least one model 
includes inputting at least one model that is related to at least one of a risk-based model or a cost- 
based model. 

14. (Previously Presented) The method of claim 12, wherein generating the one or more 
security outputs includes generating one or more security outputs that include at least one of 
recommended security components, codes, parameters, settings, related interconnection 
topologies, connection configurations, application procedures, security policies, rules, user 
procedures, or user practices. 



4 



10/661,696 



03AB014C/ALBRP303USC 



15. (Currently Amended) The method of claim 12, further comprising: 
automatically deploying the one or more security outputs to the one or more industrial 

controllers automation devices ; and 

utilizing the one or more security outputs to mitigate at least one of unwanted network 
access or network attack. 

16. (Currently Amended) A security analysis system in an industrial automation 
environment, comprising: 

means for receiving abstract descriptions of one or more industrial controllers automation 
devices ; 

means for learning at least one access pattern for accessing the one or more industrial 
controllers devices ; 

means for generating one or more security outputs based on the abstract descriptions; 

means for automatically distributing the one or more security outputs to facilitate network 
security in the industrial automation environment; 

means for defining a pattern threshold that specifies an acceptable deviation from the at 
least one access pattern learned by the means for learning; 

means for automatically detecting a deviation that a current access pattern deviates from 
the at least one access pattern that exceeds a threshold in excess of the acceptable deviation ; and 

means for performing an automated action that alters [[a]] the current access pattern 
based at least in part on the detected deviation in response to the detecting . 
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17. (Currently Amended) A security validation system, comprising: 

a scanner component that automatically interrogates an industrial automation device on a 
network at periodic intervals for security^elated data; 

a validation component that automatically assesses security capabilities of the industrial 
automation device based upon a comparison of the security z related data and one or more 
predetermined security guidelines; 

a security analysis tool that recommends at least one interconnection of one or more 
industrial automation devices to achieve a specified security goal indicated by the predetermined 
security guidelines ; and 

a component that automatically adjusts at least one security parameter in the industrial 
automation device alters at least one traffic pattern on the network in response to detected 
security events detecting that a current pattern of access on the network has deviated from a 
learned pattern of access in excess of a defined pattern threshold . 

18. (Cancelled) 

19. (Previously Presented) The system of claim 17, the validation component performs at 
least one of a security audit, a vulnerability scan, a revision check, an improper configuration 
check, file system check, a registry check, a database permissions check, a user privileges check, 
a password check, or an account policy check. 

20. (Original) The system of claim 17, the security guidelines are automatically determined. 

21 . (Previously Presented) The system of claim 46, the host-based component performs 
vulnerability scanning and auditing on devices, the network-based component performs 
vulnerability scanning and auditing on networks. 

22. (Cancelled) 
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23. (Previously Presented) The system of claim 21, at least one of the host-based component 
or the network-based component at least one of non-destructively maps a topology of 
information technology (IT) and industrial automation devices, checks revisions and configura- 
tions, checks user attributes, or checks access control lists. 

24. (Cancelled). 

25. (Currently Amended) The system of claim 17, further comprising a component that 
initiates a security action in response to the detected security events detecting that the current 
pattern of access on the network has deviated from the learned pattern of access in excess of the 
predefined pattern threshold , the security action includes at least one of automatically correcting 
the security events, automatically adjusting security parameters, altering network traffic patterns, 
add security components, removing security components, firing alarms, automatically notifying 
entities about detected problems and concerns, generating an error or log file, generating a 
schema, generating data to re-configure or re-route network connections, updating a database, or 
updating a remote site. 

26. (Currently Amended) An automated security validation method, comprising: 
monitoring a network comprising one or more industrial automation devices to learn at 

least one access pattern; 

defining a pattern threshold that specifies an allowable deviation from the at least one 
access pattern; 

scanning the one or more industrial automation devices for potential security violations at 
periodic intervals[[,]] wherein identity information about end devices having potential for hacker 
entry is gained ; 

performing an automated security procedure that adjusts at least one security parameter 
on the one or more industrial automation devices based at least in part on the potential security 
violations if the scanning determines that a current access pattern deviates from the at least one 
access pattern in excess of the allowable deviation ; and 

determining whether the one or more industrial automation devices conforms to one or 
more network security standards following performing the automated security procedure thereon. 
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27. (Previously Presented) The method of claim 26, further comprising at least one of: 
checking for susceptibility to network-based attacks; 

searching for open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) 
ports; or 

scanning for vulnerable network services. 

28. (Previously Presented) The method of claim 26, further comprising at least one of: 
automatically performing security assessments; 

automatically performing security compliance checks; or 
automatically performing security vulnerability scanning. 

29. (Previously Presented) The method of claim 26, wherein performing an automated 
security procedure includes performing an automated security procedure that includes at least 
one of automatically performing corrective actions, altering network patterns, adding security 
components, removing security components, adjusting security parameters, or generating 
security data to mitigate network security events. 

30. (Currently Amended) An automated security validation system, comprising: 
means for monitoring an industrial network comprising one or more industrial 

automation devices to learn at least one access pattern; 

means for defining a pattern threshold that specifies an allowable deviation from the at 
least one access pattern; 

means for scanning the one or more industrial automation devices for potential security 
violations; 

means for initiating a security procedure that adjusts at least one security parameter in the 
one or more industrial automation devices in response to the potential security violations if the 
means for scanning identifies that a current access pattern deviates from the at least one access 
pattern in excess of the allowable deviation ; 

means for performing at least one of security assessments, security compliance checks, or 
security vulnerability scanning of the one or more industrial automation devices to mitigate the 
potential security violations based at least in part on the initiated security procedure; and 
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means for determining whether the automated security validation system conforms to one 
or more network security standards based on at least one of the security assessments, the security 
compliance checks, or the security vulnerability scanning. 

3 1 . (Currently Amended) A security learning system for an industrial automation 
environment, comprising: 

a learning component that monitors and learns industrial automation network access 
activities during a training period to determine at least one network access pattern ; and 

a user interface that accepts first input specifying an acceptable deviation from the at least 
one network access pattern; and 

a detection component that automatically triggers a security event based upon detected 
deviations of subsequent industrial automation network access activities in excess of the 
acceptable deviation after the training period, wherein the security event includes adjusting at 
least one security parameter that alters a network traffic pattern associated with the industrial 
automation environment. 

32. (Currently Amended) The system of claim 3 1 , the industrial automation activities include 
at least one of a network activity or a device activity wherein the user interface accepts second 
input specifying a type of network access activity to be monitored by the learning component 
during the training period . 

33. (Currently Amended) The system of claim 31, the learning component including at least 
one of a learning model or a variable. 

34. (Currently Amended) The system of claim 3 1, the industrial automation network access 
activities include at least one of a number of network requests, a type of network requests, a time 
of requests, a location of requests, status information, or counter data. 

35. (Previously Presented) The system of claim 31, the detection component employs at least 
one of a threshold or a range to determine the deviations. 
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36. (Currently Amended) The system of claim 35, the at least one of the threshold or the 
range are dynamically adjustable via the user interface , 

37. (Previously Presented) The system of claim 33, the learning model includes at least one 
of mathematical models, statistical models, probabilistic models, functions, algorithms, neural 
networks, classifiers, inference models, Hidden Markov Models (HMM), Bayesian models, 
Support Vector Machines (SVM), vector-based models, or decision trees. 

38. (Currently Amended) The system of claim 31, the security event further includes at least 
one of automatically performing corrective actions, altering network patterns, adding security 
components, removing security components, adjusting security parameters, firing triggering an 
alarm, notifying an entity, generating an e-mail, interacting with a web site, or generating 
security data to mitigate network security problems. 

39. (Currently Amended) A security learning method, comprising: 

monitoring a network of industrial controllers devices for a predetermined time; 

automatically learning at least one data transfer pattern of the network of industrial 
controllers devices during the predetermined time; 

defining a pattern threshold specifying an acceptable deviation from the at least one data 
transfer pattern; and 

generating an alarm and altering network activity to adjust a current data transfer pattern 
if the current data transfer pattern is determined to be outside of a predetermined the pattern 
threshold with respect to the at least one data transfer pattern . 

40. (Currently Amended) The method of claim 39, further comprising: 

employing the at least one data transfer pattern as input for a security analysis process; 

and 

adjusting at least one security parameter associated with the network of industrial 
controllers devices based on the security analysis process and the input. 
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41. (Currently Amended) A security learning system in an automation environment, 
comprising: 

means for scanning a network; 

means for learning access patterns with respect to at least one industrial automation 
device from on the network; and 

means for defining a pattern threshold specifying an acceptable deviation from at least 
one stored access pattern; and 

means for generating a security event that disables network requests from at least one 
outside network upon determining that the access patterns learned by the means for learning are 
out of tolerance with the at least one stored access pattern[[s]] by more than the acceptable 
deviation . 

42-44. (Cancelled) 

45. (Previously Presented) The tool of claim 1, the analyzer component is adapted for 
partitioned security specification entry and sign-off from various groups. 

46. (Previously Presented) The system of claim 17, the scanner component and the validation 
component are at least one of a host-based component or a network-based component. 

47. (Previously Presented) The system of claim 21, at least one of the host-based component 
or the network-based component at least one of determines susceptibility to common network- 
based attacks, searches for open Transmission Control Protocol/User Datagram Protocol 
(TCP/UDP) ports, scans for vulnerable network services, attempts to gain identity information 
about end devices that relates to hacker entry, or performs vulnerability scanning and auditing on 
firewalls, routers, security devices, and factory protocols. 

48. (Previously Presented) The system of claim 1, the validation component automatically 
installs one or more security components in response to the one or more vulnerabilities. 
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49. (Currently Amended) The system of claim 1, wherein the analyzer component further 
performs an automated action that alters access patterns to the one or more industrial controllers 
disables network requests from at least one outside network upon detecting a deviation of the 
current access pattern from the at least one of shop floor access patterns, Intranet access patterns, 
Internet access patterns, or wireless access patterns learned pattern of network activity in excess 
of a threshold the acceptable deviation . 

50. (Currently Amended) The system of claim 12, wherein the at least one automated 
security event includes at least disabling network attempts to access the one or more industrial 
controllers automation devices . 

51. (New) The method of claim 12, wherein the monitoring access to the one or more 
industrial automation devices comprises at least one of monitoring a number of network requests 
to or from the one or more industrial automation devices over a given time frame or monitoring a 
type of request to and from the one or more industrial automation devices during the training 
period. 



12 



